Analysis2023-08-10

Earning.Farm Lost $536,000 Due to Logic Flaw in Smart Contract "Withdraw" Function

Tags

Attack
AI Security
Web3 Security
Smart Contract
vulnerability
MetaScan

2 Minutes Read

Daniel Tan

Daniel Tan

Security Operation / Audit

Summary

Earning.Farm fell victim to smart contract logic vulnerability, suffering loss of approximately 288 ETH.

In a recent turn of events, Earning.Farm, a project deployed on the Ethereum blockchain, has fallen prey to a malicious attack due to contract logic vulnerabilities. As indicated by MetaTrust Alerts' Twitter post, the extent of the damage incurred by this attack has surged to around 288 ETH, equating to a staggering value of approximately $536,000 USD. It's noteworthy that all tokens have been transferred to a new wallet address, specifically 0xee4b3d.

The root cause of this vulnerability can be attributed to a flawed function within the "EFVault" contract, namely the "withdraw" function. This particular function, fraught with logic flaws, allows the user to burn the user's ENF_ETHLEV balance even if it is less than the expected amount of shares.

Attacking Steps

  1. The attacker procured 10,000 Ethereum tokens through a flash loan, subsequently depositing 80 of these tokens into the ENF_ETHLEV contract. This move granted the attacker ownership of 295e18 shares.
  2. The attacker withdraws 295e18 shares from the ENF_ETHLEV contract by calling the withdraw function. Then, the "withdraw" function calls the withdraw function of the external contract "controller", retrieves 80ETH, and triggers the fallback function of the attacker's contract at the same time.
  3. Within the confines of the fallback function, the attacker skillfully transferred (295e18-1000) ENF_ETHLEV tokens to a new wallet address, represented as 0xfd29f2. Consequently, the attacker incurred a mere loss of 1000 ENF_ETHLEV tokens.
  4. The attacker converted the ENF_ETHLEV tokens residing within the 0xfd29f2 wallet into ETH. This enabled the assailant to both repay the flash loan and capitalize on the situation to reap profits.

One of the transactions executed in the course of this attack is depicted below: https://etherscan.io/tx/0x878d8986ed05ab32cc01e05663d27ea471576d2baff1081b15ed5fb550f9d81b 111.png Check MetaTrust Alerts' tweet: https://twitter.com/MetaTrustAlert/status/1689196222048030721?s=20

About Us

At MetaTrust, our primary focus is on creating a secure infrastructure that caters to the needs of developers in the WEB 3.0 space. We offer an array of AI-Driven automation tools and security services to assist Web3 developers and project stakeholders in achieving a secure development environment.

Website || Twitter || Try MetaScan for FREE

Share this article

Previous
Analyzing the Centralization Risks of TipCoin ($TIP)
Next
Curve Cracked: How $52M Vanished in a Vyper Vulnerability